Network Templates

This document explains how to use and configure your network settings by listing all current and experimental network templates, their options and use cases.

Introduction

Funtoo Linux has its own core network configuration system that differs somewhat from upstream network configuration systems used in Gentoo Linux and OpenRC.

In this document, I will explain the templating system, list the templates' variables, and explain their purpose.

A Gentle Introduction to Funtoo Network Configuration

Before I get into the technical details of configuring your network, it's important to understand that Funtoo Linux has a number of different options available to you for network configuration, with more likely to be added in the future. Each approach is different and has its own strengths and weaknesses, and this is, in my opinion, a good thing.

The Template Overview

Here I will provide an at-a-glance look at the current and experimental templates.

Current Templates

The current templates provided within a stage3:

bond

Bonding and Teaming of Ethernet devices

Requires ifenslave package

bridge

A basic bridge template utilizing bridge-utils and userspace-utilities to create the bridge

Requires bridge-utils, and bridging module for kernel

bridge-dhcpd

Same as above, but with dhcpd providing the interface configuration

Requires bridge-utils, and dhcpd packages, and bridging module for kernel

bridge-openvswitch

Same as the basic bridge, but utilizing openvswitch package rather than the

Requires openvswitch package, and bridging module for kernel

dhcpd

DHCPD configuration for interfaces

Requires dhcpd package

interface

Generic interface configuration

interface-noip

Configure an interface with no IP. Generally used for physical slaves of a bridge

ipv6-tunnel

Configure an ipv6 tunnel using iproute2

tap

Create a tap device. Generally used as a bridge slave.

Requires userspace-utilities package

Experimental Templates

Current experimental templates provided by Setsuna-Xero are available on his [GitHub Repo] and consist of updated Corenetwork templates to reduce dependencies, extend support, and utilize iproute2 over usermode tools, as well as new templates. These templates were created to eliminate the dependency on deprecated network tools in favour of iproute2 tools. If you find any deprecated tools used, please let Setsuna-Xero know so he can update the templates.

bond

Bonding and Teaming of Ethernet devices utilizing iproute2

Supports all major bonding protocols

bridge

A basic bridge template utilizing iproute2

Requires bridging module for kernel

bridge-dhcpd

Same as above, but with dhcpd providing the interface configuration

Requires dhcpd packages, and bridging module for kernel

bridge-openvswitch

Same as the basic bridge, but utilizing openvswitch package rather than the kernel provided utilities.

Requires openvswitch package, and bridging module for kernel

dhcpd

DHCPD configuration for interfaces

Requires dhcpd package

interface

Generic interface configuration

interface-noip

Configure an interface with no IP. Generally used for physical slaves of a bridge

ipv6-tunnel

Configure an ipv6 tunnel using iproute2

tap

Create a tap device using iproute2

Generally used as a bridge slave.

bridge-vde

Create a bridge and tap device using iproute2, attached to a vde_switch

Used to provide easy bridged networking to VM guests

Requires vde package

vde-slirp

Create a vde_switch with tap and slirpvde process attached

Used to provide easy NAT networking to VM Guests

Requires vde package

net.tmpl

Updated netif.tmpl

Required to use templates

Template Specifications

For servers and advanced networking scenarios, Funtoo Linux offers its own modular, template-based network configuration system. This system offers a lot of flexibility for configuring network interfaces, essentially serving as a "network interface construction kit." This system can be used by itself, or even combined with dhcpcd, as shown in the previous section.

Here are the key components of the template-based network configuration system:

/etc/init.d/netif.lo

An init script that configures the localhost interface. This script is always enabled and is part of the boot process.

/etc/netif.d

This is a directory that contains various network configuration templates. Each of these templates is focused on configuring a particular type of network interface, such as a general static IP-based interface, a bridge interface, a bond interface, etc.

/etc/init.d/netif.tmpl

This is the master init script for the template-based network configuration system. New interfaces are added to your system by creating symbolic links to this file in /etc/init.d.

So, if you wanted to use this system to configure eth0 with a static IP address, you would create a netif.eth0 symlink to netif.tmpl as follows:

# cd /etc/init.d
# ln -s netif.tmpl netif.eth0

Then, you would create an /etc/conf.d/netif.eth0 configuration file that would specify which template to use from the /etc/netif.d directory:

When configuring your own static network interface, one of ipaddr or ipaddrs is required and should specify the IP address(es) to configure for this interface, in "a.b.c.d/netmask" format. Optional parameters include gateway, which defines a default gateway for your entire network, and if set should specify the gateway's IP address. In addition, domain and nameservers (space-separated if more than one) can be used to specify DNS information for this interface.

Configuration Variables

Interface Variables

The ipaddr, ipaddrs, ipaddr6 and ipaddrs6 variables are supported by the interface and bridge templates, and are used to specify one or more IPv4 or IPv6 addresses for the interface. IP addresses should be specified in 'IP/netmask' format, such as 10.0.0.1/24. Multiple IP addresses can be specified, delimited by whitespace.

For IPv4 addresses use:

ipaddrs="10.0.0.1/24 10.0.0.2/24"

For IPv6 addresses use:

ipaddrs6="2001:db8::1234/32 2001:db8::abcd/32"

Broadcast Address

By default, a broadcast address will be calculated based on the IP address and network mask. If you need to manually specify a broadcast address, use the following format for your IP address:

ipaddrs="10.0.0.1/24;broadcast=10.0.1.255 10.0.0.2/24"
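The following is an added example, not part of the Funtoo network scripts: a POSIX shell check that splits an ipaddrs value the way this section describes and reports, for each IPv4 entry, the broadcast address calculated from the address and mask next to any manual ;broadcast= override. The function names are made up for this example, and it assumes broadcast= is the only option that follows the ";".

```sh
#!/bin/sh
# Added example: report which broadcast address applies to each ipaddrs entry.

# ip4_to_int A.B.C.D -> prints the address as an integer, fails if malformed
ip4_to_int() (
    set -f
    case $1 in *.) exit 1 ;; esac          # reject a trailing dot
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        # digits only, no leading zeros (would read as octal), at most 3 chars
        case $o in ''|*[!0-9]*|0?*|????*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# default_broadcast A.B.C.D/PREFIX -> broadcast calculated from address and mask
default_broadcast() (
    addr=${1%/*}; prefix=${1#*/}
    case $prefix in ''|*[!0-9]*|0?*|???*) exit 1 ;; esac
    [ "$prefix" -le 32 ] || exit 1
    n=$(ip4_to_int "$addr") || exit 1
    int_to_ip4 $(( n | ((1 << (32 - prefix)) - 1) ))
)

# check_ipaddrs "ENTRY ENTRY ..." -> one report line per entry; status 1 if any is invalid
check_ipaddrs() (
    set -f
    status=0
    for entry in $1; do
        cidr=${entry%%;*}
        manual=
        case $entry in *';broadcast='*) manual=${entry#*;broadcast=} ;; esac
        if ! calc=$(default_broadcast "$cidr"); then
            echo "$cidr INVALID"; status=1
        elif [ -z "$manual" ]; then
            echo "$cidr broadcast=$calc (calculated)"
        elif ! ip4_to_int "$manual" >/dev/null; then
            echo "$cidr broadcast=$manual INVALID"; status=1
        elif [ "$manual" = "$calc" ]; then
            echo "$cidr broadcast=$manual (manual, same as calculated)"
        else
            echo "$cidr broadcast=$manual (manual, calculated would be $calc)"
        fi
    done
    exit $status
)

# The two IPv4 ipaddrs values shown on this page:
check_ipaddrs "10.0.0.1/24 10.0.0.2/24"
check_ipaddrs "10.0.0.1/24;broadcast=10.0.1.255 10.0.0.2/24"
```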

Not Specifying An Address

Note that in some cases, you may choose to not specify ipaddr or ipaddrs for a bridge template. That is allowed. If you don't want to specify an IP address for a regular interface, you can choose to use the interface template without an IP address specified in the config, or use the interface-noip template instead, for the sake of clarity.

Viewing All Configured IP Addresses

Also note that if you specify multiple IPv4 addresses, ifconfig will only show the first IP address. To view all IP addresses associated with the interface, use the ip addr show command.

General Variables

The following variables are enabled by default for all network scripts, and if specified will trigger a corresponding configuration action:

nameservers

Set DNS nameservers using OpenResolv. Specify multiple IPv4 or IPv6 nameservers like this: "1.2.3.4 1.2.3.5 1.2.3.6". Please note that OpenResolv treats 127.0.0.1 specially, and it indicates that you are running a local name resolver like dnsmasq or bind. OpenResolv will ignore all other name servers specified alongside 127.0.0.1. See man resolvconf and man resolvconf.conf for additional setup information.

search

Set DNS search information using OpenResolv.

domain

Set DNS domain using OpenResolv.

gateway

Define a default IPv4 gateway on this interface.

gateway6

Define a default IPv6 gateway on this interface.

route

Specify a semi-colon delimited list of IPv4 routes to apply when this interface is brought up. Will be appended to ip -4 route add.

route6

Specify a semi-colon delimited list of IPv6 routes to apply when this interface is brought up. Will be appended to ip -6 route add.

mtu

Set Maximum Transmit Unit for the interface.

macaddr

Sets a MAC address on a tap interface. This is useful for avoiding layer 2 address collisions when using large numbers of TUN interfaces (KVM, OpenVPN, etc.).

This option will rename the interface if it detects the address in /etc/mactab, or will assign the new macaddr to the interface.

VLAN Variables

VLAN support is enabled by default for all network configuration scripts. If a network script has a name in the format netif.ethX.Y, then it is assumed to be a VLAN interface referencing trunk ethX and VLAN ID Y. If you desire a custom name for your VLAN interface, you can name your interface whatever you'd like and specify the following variables in your interface config:

trunk

VLAN trunk interface, e.g. "eth0"

vlan

VLAN id, e.g. "32"

Bridge / Tap / Bond Variables

The following variables are used for configuring a functional bridge interface with optional tap interfaces:

slaves

Set slave interfaces of this interface (for bridges, etc.) All slaves will automatically be depended upon, and will also automatically have their mtu set to that of the current interface, if an mtu is specified for the current interface. This setting is required for the bond template and optional for the bridge template.

stp

Enables Spanning Tree Protocol on a bridge interface. Usage: "stp=on"

Not used with VDE based templates

forwarding

Enables forwarding on a bridge interface by calling sysctl; as this interface does not exist when sysctl is called by init, we do it here. If this is disabled, your bridge will not forward traffic back out onto the network. Usage: "forwarding=1"

Note that 802.3ad requires switch support, or one switch per interface

VDE / SlirpVDE Variables

The following Variables are used with the VDE and SlirpVDE based templates in addition to the bridge variables:

vde_tap

Sets the tap interface used for the vde_switch, defaults to the ${interface} name for vde-slirp and to ${br_interface}-tap for bridge-vde

br_interface

Sets the bridge name for bridge-vde, defaults to $interface

vde_pidfile

Sets the location of the pidfile for the vde_switch, defaults to /var/tmp/vde.${br_interface}.pid

slip_pidfil

Sets the location of the pidfile for the vde_switch, defaults to /var/tmp/slirp.${interface}.pid

vde_sock

Sets the location of the socket file for the vde_switch, defaults to /var/tmp/vde.${br_interface}.ctl

vde_mgmt

Sets the location of the management socket file for the vde_switch, defaults to /var/tmp/vde.${br_interface}.mgmt

vde_rcfile

Sets the location of the rcfile for the vde_switch

vde_group

Sets the group used for the vde_switch, defaults to kvm

vde_mode

Sets the octal mode for the vde_switch, defaults to 660

vde_hub

Enables (1) or disables (default) hub mode on the vde_switch

slirp_redir_tcp

Redirects tcp ports on the host to the guest on the specified port

slirp_redir_udp

Redirects udp ports on the host to the guest on the specified port

slirp_redir_sock

Redirects a port on the slirpVDE host port to unix socket

slirp_redir_x

Redirects X screen sessions on the host to the guest on the specified port

slirp_dhcp

Enables SlirpVDE's dhcp server, defaults to 10.0.2.0/24

slirp_dhcp_start

Specifies the start of the dhcp server range, defaults to x.x.x.15-254

slirp_tftp

Enables tftp server, serving the specified folder, default off

slirp_host

Sets the host IP of the slirpvde virtual router if a unicast address is used; if a network is specified, it sets the dhcp scope as well. Default is 10.0.2.2

slirp_dns

Sets the DNS-proxy on the slirpvde router, default is 10.0.2.3

OpenResolv and resolv.conf

OpenResolv will be used to set DNS information provided by the nameservers, domain and search variables when an interface is brought up. The OpenResolv framework will add entries to /etc/resolv.conf, and will also handle removing these entries when the interface is brought down. This way, /etc/resolv.conf should always contain current information and should not need to be manually edited by the system administrator. dhcpcd will use OpenResolv for updating system DNS information as well.

Network-Dependent Services

One important difference between Gentoo Linux and Funtoo Linux is that, in Funtoo Linux, network-dependent services only strictly depend on netif.lo. This means that if another network service requires an interface to be up, such as samba requiring eth0, then the system administrator must specify this relationship by adding the following line to /etc/conf.d/samba:

rc_need="netif.eth0"

This will have the effect of ensuring that netif.eth0 is started prior to samba and that samba is stopped prior to stopping netif.eth0.

Many network services, especially those that listen on all network interfaces, don't need an rc_need line in order to function properly. Avoiding the use of rc_need where it is not required will optimize boot times and allow more network services to remain available when network interfaces are brought up and down by the system administrator.

Multiple Network Configurations

For information on how to have multiple, independent network configurations, please see Stacked Runlevels.

Alternate Configs

If you need to run the same service with different configuration parameters depending upon runlevel, then you'll be happy to know that you can specify runlevel-specific conf.d files by appending a .<runlevel> suffix. In this particular example, we could imagine a situation where we had two child runlevels named home and work:

/etc/conf.d/netif.eth0.home
/etc/conf.d/netif.eth0.work

Note that this feature works for all init scripts, not just network configuration scripts.

Interface Renaming

Funtoo network scripts now support interface renaming, so you can create an interface called lan if you would like. To do this, simply specify the MAC address of the interface you would like to rename using the macaddr variable:

macaddr="00:15:17:19:b6:a3"

If this MAC address is part of the netif.lan configuration file, then when this interface starts, whatever interface currently has the MAC address of 00:15:17:19:b6:a3 (i.e. eth5) will be renamed to lan prior to the interface being brought up, and will show up in ifconfig and ip commands as being an interface named lan.

Basic VLAN Configuration

The standard interface template supports VLANs. To use VLAN support, first ensure that your kernel was compiled with VLAN support (the module name is 8021q) :

The Funtoo network configuration scripts will automatically recognize the filename netif.eth1.32 as being VLAN 32 of trunk interface netif.eth1.

When the VLAN interface is brought up, it will be named eth1.32.

Custom VLAN Names

However, sometimes you may want to turn off automatic file-based VLAN naming and give your VLAN interface a custom name, such as mgmt. To do this, you would set up the trunk interface in the exact same way as described above, but instead of creating a netif.eth1.32 interface, you would create a netif.mgmt interface, and specify vlan and trunk in the /etc/conf.d/netif.mgmt config file, as follows:

Bonding Configuration

Bonding allows you to aggregate multiple network interfaces into a single logical network interface, allowing for benefits in throughput as well as resiliency in the case that an individual interface may go down. This example shows how you would create a bonding interface (mybond) with a simple static ip setup, containing two slave devices (eth0 and eth1).

First, ensure that your kernel is configured to support bonding (the module name is bonding) :

$ grep CONFIG_BONDING /usr/src/linux/.config
CONFIG_BONDING=m

You'll want to ensure that CONFIG_BONDING is set to "m" or "y". You can find this kernel configuration option tucked under "Device Drivers" -> "Network Device Support" -> "Bonding driver support".
Be sure that ifenslave is emerged (this package is included in the Funtoo stage3):

For the current templates, please install ifenslave. This is not required for the experimental templates.

# emerge ifenslave

Once bonding is enabled in the kernel, you will need to choose at least two devices to bond together. These will be set up as "slave" interfaces with no IP address.

Then, configure the slave interfaces by creating /etc/conf.d/netif.eth0 and /etc/conf.d/netif.eth1 with the following contents:

template="interface-noip"

Now, we will create the bond interface and make netif.eth0 and netif.eth1 slaves of this interface. Note that our bond interface can have any name. To demonstrate this, we will give it the name of "mybond" below:

# ln -s netif.tmpl netif.mybond
# rc-update add netif.mybond default

Now we can configure "mybond" using its configuration file /etc/conf.d/netif.mybond, just as we would a regular interface, except that we specify slaves:
Current template configuration:

In a bonded configuration, it is common to set the MTU to the maximum possible value supported by hardware to maximize throughput. In order to do this, simply set the MTU option in /etc/conf.d/netif.mybond to the maximum value supported by your hardware. The network scripts will ensure that this MTU setting is applied to all slave interfaces:

mtu=9000

Bridge Configuration

When hosting virtual machines, it can be convenient to use a bridge setup. This example shows how you would create a bridge (br0) with a simple static ip setup, containing two slave devices (eth0, tap0).

First, ensure that your kernel is configured to support bridging and TUN/TAP (the module name is bridge and tun) :

VDE Bridge configuration

When hosting virtual machines, it can be convenient to use a bridge setup. This example shows how you would create a VDE bridge (vde0) with a simple static IP setup, containing two slave devices (eth0, vde0-tap). The advantage of using VDE on the bridge is that it requires only one tap interface, allows for easier VM management, and enables dynamic VLAN management.

First, ensure that your kernel is configured to support bridging and TUN/TAP (the module name is bridge and tun) :

You now have a vde_switch attached on vde0-tap passing traffic out the network via the bridge interface vde0. Attach your VMs or other socket-based applications to the vde socket located at /var/tmp/vde.vde0.ctl or wherever you specified.

SlirpVDE configuration(NAT)

When hosting virtual machines, it can be convenient to use a NATing setup. This example shows how you would create a vde_switch with tap interface svde0 attached to a slirpvde virtual router. The advantage of using slirpvde is that it allows you to easily configure a NATed virtual network with basic DHCP, allows for easier VM management, and enables dynamic VLAN management - useful for VMs that need internet but can't talk to each other.

First, ensure that your kernel is configured to support TUN/TAP (the module name is tun) :

$ grep CONFIG_TUN /usr/src/linux/.config
CONFIG_TUN=m

Second, make sure you have the required software installed:

# emerge -av net-misc/vde

Then, create the necessary symlinks for the interfaces and add them to your default runlevel :

You now have a vde_switch attached on vde0-tap passing traffic out the network via the bridge interface vde0. Attach your VMs or other socket-based applications to the vde socket located at /var/tmp/slirp.svde0.ctl or wherever you specified. By default the DHCP server is off, but virtual routing and dns-proxy are enabled on 10.0.2.2 and 10.0.2.3. DHCP leases start at 10.0.2.15.

More Complex Network Configuration

If the standard templates don't work for your needs, simply create a new template -- I recommend starting from the interface template for most things:

# cd /etc/netif.d
# cp interface custom

You can now add whatever commands you need to /etc/netif.d/custom. The following shell functions can be defined in a network script:

netif_create

In netif_create, you should call any commands to create the interface if it does not yet exist.

netif_depend

In netif_depend, you can define dependencies, using the functions need and use.

netif_pre_up

In netif_pre_up, you can define network configuration actions to perform prior to bringing the interface up. You can also ensure certain variables are specified by calling require var1 [var2...] here.

netif_post_up

In netif_post_up, you can define network configuration actions to perform after bringing the interface up.

netif_pre_down

In netif_pre_down, you can define network configuration actions to perform prior to bringing the interface down.

netif_post_down

In netif_post_down, you can define network configuration actions to perform after bringing the interface down.

netif_destroy

In netif_destroy, you can call any commands necessary to destroy/delete the interface if it is dynamic in nature (tun/tap, etc.)

How It Works

You do not specify a function for actually bringing up the interface, because the template-based system does this for you. The template-based system also performs all normal actions required to bring an interface down, so you only need to specify atypical actions that must be performed - such as removing child interfaces or destroying a bridge using brctl.

When you create your own network configuration template, the following capabilities are available for use automatically, as long as the appropriate variables are set in the /etc/conf.d/netif.<ifname> file, without requiring any explicit steps on your part:

DNS configuration using domain and nameservers config settings. OpenResolv is used automatically.
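The hook functions listed above, put together as an added example (not one of the shipped or experimental templates): a custom template that creates a tap device owned by a group and removes it again. It assumes $interface holds the interface name, as in the variable defaults listed on this page, and that require is provided by the network scripts as described for netif_pre_up; the tap_group variable is made up for this example.

```sh
# /etc/netif.d/custom -- added example template: a tap device owned by a group.
# Used from /etc/conf.d/netif.<ifname> with: template="custom" tap_group="kvm"
# Assumptions: $interface is set by the network scripts; tap_group is a
# variable name made up for this example.

netif_pre_up() {
    # Fail early if the config file did not set the group.
    require tap_group
}

netif_create() {
    # Create the device only if it does not exist yet, so a restart is harmless.
    if ! ip link show dev "$interface" >/dev/null 2>&1; then
        ip tuntap add dev "$interface" mode tap ${tap_group:+group "$tap_group"}
    fi
}

netif_post_up() {
    # Runs after the scripts have brought the interface up: log its state.
    ip -brief link show dev "$interface"
}

netif_destroy() {
    # The tap device is dynamic, so remove it if it is still present.
    if ip link show dev "$interface" >/dev/null 2>&1; then
        ip tuntap del dev "$interface" mode tap
    fi
}
```

Bringing the interface up and down is still left to the template system; the hooks only add the create, check and delete steps around it.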

License

Copyright 2009-2011 Funtoo Technologies. You can redistribute and/or modify it under the terms of the 2-clause BSD license. Alternatively you may (at your option) use any other license that has been publicly approved for use with this program by Funtoo Technologies (or its successors, if any.)